Outdated SOHO routers and IoT devices being hijacked by TheMoon to operate an anonymous hacker botnet service called Faceless.

Dark Reading Staff, Dark Reading

March 29, 2024

1 Min Read
Full moon against Chilkat Mountains and Lynn Canal in Southeast Alaska
Source: Design Pics Inc via Alamy Stock Photo

After disappearing for several years, TheMoon has returned with a botnet army around 40,000 strong, made up of hijacked small home and office (SOHO) devices and available for hire as a proxy service for cybercriminals looking to obscure their traffic origins.

The cybercrime botnet service, called Faceless, costs less than a dollar per day, according to the researchers at Lumen Technologies' Black Lotus Labs, who are warning about the return of TheMoon after the malware group disappeared in 2019, before reemerging back on the scene in 2023. By the beginning of 2024, TheMoon had amassed bots from across 88 countries to operate its Faceless service.

"We believe these cybercriminals [using Faceless] are using these networks to steal data and information from their victims, including the financial sector," Mark Dehus, senior director of threat intelligence at Lumen Black Lotus Labs, said in a statement. "TheMoon malware is a serious threat not only to the owners of the compromised SOHO devices, but also the victims exploited through this anonymous proxy network."

John Gallagher, vice president of Viakoo Labs at Viakoo, noted that the types of endpoints that TheMoon looks to bring to the dark side are somewhat sitting ducks.

"IoT devices are designed to be 'set it and forget it,' leading to their being favored by threat actors even if they are not end of life (they are likely to be unmanaged and not updated)," he said in an emailed statement. "This is a much bigger issue for enterprises than consumers. The operators of IoT devices are often cost centers, and there's an incentive to not replace equipment unless it isn’t functional anymore. Enterprises offer vast fleets of IoT devices for threat actors to leverage for DDoS and other attack vectors." 

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights